IEC 62304 §9.2 problem investigation and ISO 14971 risk analysis covering product applicability and root cause analysis for known issues.
Structured vulnerability analysis covering CVSS environmental scoring, defense-in-depth context, all affected product versions, root cause categorization, and safety and effectiveness impact assessment.
Vulnerability analysis records with safety impact assessment and environmental CVSS adjustments — bulk CVE acceptance or dismissal without applicability analysis is a critical gap under FDA scrutiny.
Maps to
IEC 81001-5-1: §9.4 Analysing VULNERABILITIES
IEC 62443-4-1: §DM-4
Requirement text
Analyse vulnerabilities including: a) assessing impact with respect to technical security context (IEC 62443-4-1), intended environment of use, and defense-in-depth strategy; b) impact per vulnerability scoring (e.g., CVSS); c) identifying all affected product versions; d) identifying root cause; e) identifying related security issues; f) assessing impact on product safety and effectiveness.
Why this clause exists
Vulnerability analysis — determining the root cause, exploitability, impact, and relationship of a vulnerability to the design and implementation — is the technical foundation on which all remediation decisions rest. Organizations that move directly from vulnerability report to patch without performing a structured analysis frequently produce patches that address the reported symptom rather than the underlying cause, leaving related vulnerabilities in the same code path unexplored. They also miss the opportunity to identify whether the vulnerability is an instance of a pattern — a class of input validation errors, a design assumption about trust boundaries — that affects multiple components beyond the one reported. IEC 81001-5-1:2021 clause 9.4 requires formal analysis of confirmed security vulnerabilities before remediation decisions are made, ensuring that the root cause is understood, the CVSS score is calculated with full information, and the security risk management process (clause 7) is updated to reflect the newly identified vulnerability. The analysis output feeds the risk management record, ensuring that the discovered vulnerability is captured in the permanent security risk documentation rather than only in an informal issue tracker.
What changed
IEC 81001-5-1:2021 is the first standalone cybersecurity standard purpose-built for health software and medical device software. Published in December 2021, it was adapted from IEC 62443-4-1 (industrial control systems security) to address the unique safety and regulatory context of medical devices — adding health-specific requirements that account for patient safety, clinical workflows, and the manufacturer-HDO relationship.
The standard mirrors IEC 62304's lifecycle structure but adds security-specific activities at every phase — planning, development, testing, release, and maintenance. It requires security risk management to be integrated with ISO 14971 safety risk management, not treated as a separate IT concern. FDA formally recognized it as Consensus Standard 13-122 on December 19, 2022 and references it as providing one acceptable framework for satisfying the cybersecurity requirements of Section 524B(b)(2), which requires manufacturers to design, develop, and maintain processes and procedures to provide a reasonable assurance that cyber devices and related systems are cybersecure.
EU MDR harmonization was originally targeted for May 2024 but postponed to May 2028. Despite this delay, Notified Bodies and Competent Authorities universally recognize it as "state of the art" for health software cybersecurity under MDR GSPR Annex I, Section 17.2. Missing or inadequate cybersecurity documentation is already a top cause of Notified Body major non-conformities for SaMD. A December 2025 Interpretation Sheet (ISH1:2025) clarified software item classification into maintained, supported, and required software categories, affecting risk transfer and post-market obligations.
Common gaps (what we see in audits)
- Vulnerability applicability analysis missing — When CVEs are disclosed for SBOM components, manufacturers do not perform applicability analysis to determine whether the vulnerability is exploitable in their specific product configuration. Either all CVEs are treated as applicable or all are dismissed without analysis.